Benaloh's Dense Probabilistic Encryption 

Revisited* 



Laurent Fousse 1 , Pascal Lafourcade 2 , and Mohamed Alnuaimi 3 

1 Universite Grenoble 1 
CNRS 

Laboratoire Jean Kuntzmann 
France 
Laurent . FousseOimag . f r 
Universite Grenoble 1 
CNRS 
Verimag 
France 

Pascal . Laf ourcadeOimag . f r 

3 ENSIMAG 
France 

alnuaimi . mohdOgmail . com 



Abstract. In 1994, Josh Benaloh proposed a probabilistic homomor- 
phic encryption scheme, enhancing the poor expansion factor provided by 
Goldwasser and Micali's scheme. Since then, numerous papers have taken 
advantage of Benaloh's homomorphic encryption function, including vot- 
ing schemes, computing multi-party trust privately, non-interactive ver- 
ifiable secret sharing, online poker... In this paper we show that the 
original description of the scheme is incorrect, possibly resulting in am- 
biguous decryption of ciphertexts. We give a corrected description of the 
scheme and provide a complete proof of correctness. We also compute 
the probability of failure of the original scheme. Finally we analyze sev- 
eral applications using Benaloh's encryption scheme. We show in each 
case the impact of a bad choice in the key generation phase of Benaloh's 
scheme. For instance in the application of e- voting protocol, it can inverse 
the result of an election, which is a non negligible consequence. 

Keywords: homomorphic encryption, public-key encryption, Benaloh's 
scheme. 



1 Introduction 

In the literature there are several homomorphic encryption schemes as for in- 
stance schemes proposed by Goldwasser-Micali [GM82] , ElGamal [Elg85] , Be- 
naloh Ben94), Naccache and Stern |NS98j . Okamoto and Uchiyama [OU98 , 
Paillier [Pai99] and its generalization proposed by Damgard and Jurik |DJ01] . 



* This work was supported by ANR SeSur SCALP, SFINCS, AVOTE. 



Sander, Young and Yung |SYY99j . Gaborit and Aguillar |MGH10j . In this pa- 
per we focus our attention on Benaloh's encryption scheme. In |CF07j a survey 
of existing homomorphic encryption schemes is proposed for the non specialist. 
In |Aki09j the author also proposes a description and a complexity analysis of 
different existing homomorphic encryption schemes. In |Rap06| , the author con- 
siders homomorphic cryptosy stems and their applications. In all these papers 
authors mention existing homomorphic encryption schemes and give descriptions 
of such schemes including Benaloh's scheme. Homomorphic encryption schemes 
have several applications. We only cite applications that are using Benaloh's 
scheme as for example voting schemes (BT94 RV05 CB87], computing multi- 
party trust privately CDN01 JKM05 DGKIO], non-interactive verifiable secret 
sharing |CB87j . online poker |Gol05| ... 

Despite all these papers on applications and implementations realized by all 
these specialists, we were surprised to discover that the condition in the key 
generation of Benaloh's scheme can in some cases lead to an ambiguous en- 
cryption. How is it possible that after all these papers, results, protocols, even 
implementations and more than fifteen years nobody noticed it? In order to an- 
swer this question we will explicitly express the failure probability of the original 
scheme in Section [5] How did we discover this problem? We wanted to perform a 
time comparison of the efficiency of some well-known homomorphic encryptions. 
We proposed a methodology for testing their performance on large randomly 
generated data. So we started to code some of the encryption and decryption 
functions of homomorphic primitives. Benaloh's was one of the first one that we 
have tried. We were surprised to see that on some randomly generated instances 
of Benaloh's parameters our decryption function was not able to recover the cor- 
rect plaintext. After verifying our code several times according to the conditions 
given in the original paper we were not able to understand why our code did 
not give the right plaintext. So we investigated more and were able to gener- 
ate several counter-examples (one example of problematic parameters is given 
in Section [3]) and more interestingly we clearly understood why and where the 
scheme failed. Indeed the bug is due to a very small detail, hence we proposed 
a revisited version of Benaloh's dense probabilistic encryption. 

Contributions: The first contribution is that the original scheme proposed by 
Benaloh in [Ben94j does not give a unique decryption for all ciphertexts. We 
exhibit a simple example in the rest of the paper and characterize when this 
can happen and how to produce such counter-examples. Indeed the problem 
comes from the condition in the generation of the public key. The condition is 
not strong enough and allows to generate such keys that can for some plaintexts 
generate ambiguous ciphertexts. 

Hence our second contribution is a new condition for the key generation 
which avoids such problem. We not only propose a new correct condition but 
also give an equivalent practical condition that can be used for implementations. 
We also compute the probability of failure of the original scheme, in order to 
justify why nobody discovered the problem before us. 
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Finally we describe some applications using explicitly Benaloh's scheme. In 
each case we briefly explain how the application works on a simple example. 
With these examples we clearly show that if our new condition is not used then 
the wrong key generation can have important consequences. In the case of the 
e-voting protocol it can change the result of an election; for private multi-party 
trust computation it can really impact the trust that somebody can have in 
someone. 

Outline: In Section[2]we recall the original Benaloh scheme. In Section[3]we give 
a small example of parameters following the initial description and where we 
have ambiguous decryption. Then in Section [4] we give a corrected description 
of the scheme, with a proof of correctness. The probability of choosing incorrect 
parameters in the initial scheme is discussed in Section[5j In Section[5]we discuss 
some schemes related to Benaloh's scheme. Finally before concluding in the last 
section, we demonstrate using some applications that the problem we discover 
can have serious consequences. 

2 Original Description of Benaloh's Scheme 

Benaloh's "Dense Probabilistic Encryption" |Ben94) describes an homomorphic 
encryption scheme with a significant improvement in terms of expansion factor 
compared to Goldwasser-Micali [GM821 . For the same security parameter (the 
size of the RSA modulus n), the ciphertext is in both cases an integer mod n, 
but the cleartext in Benaloh's scheme is an integer mod r for some parameter r 
depending on the key, whereas the cleartext in Goldwasser-Micali is only a bit. 
When computing the expansion factor for random keys, we found that it is most 
of the times close to 1/2 while it is |~log 2 (n)] for Goldwasser-Micali. We now 
recall the three steps of the original scheme given in Benaloh's paper |Ben94j . 

Key Generation The public and private key are generated as follows: 

— Choose a block size r and two large primes p and q such that : 

• r divides (p — 1). 

• r and (p — l)/r are relatively prime. 

• r and q — 1 are relatively prime. 

• n = pq. 

— Select y £ (Z n )* = {x € Z„ : gcd(a;,n) = 1} such that 

y^ /r ^ 1 mod n (1) 
where ip denotes (p — X)(q — 1). 
The public key is (y, r, n), and the private key is the two primes p, q. 

Encryption If m is an element in Z r and u a random number in (Z n )* then we 
compute the randomized encryption of m using the following formula: 

E r (m) = {y m u r mod n : u G (Z„)*}. 
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Decryption We first notice that for any m, u we have: 

fy m u r \(p- l ){Q- 1 )/ r = ym(p—i)(q-i)/r u (p-i){q-i) = y m (p- 1 )(q- 1 )/ r moc j n _ 

Since m < r and t/fa -1 )^ 1 )/ 7 " ^ 1 mod n, Bcnaloh concludes that m = 
if and only if (y m u r )(p~ 1 K<?-i)/'' = \ moc [ re< go if z = y m u r mod n is an 
encryption of m, given the secret key p, q we can determine whether m = 0. 
If r is small, we can decrypt z by doing an exhaustive search of the smallest 
non-negative integer m such that (y~ m z mod n) g E r (0). By precomputing 
values and using the baby-step giant-step algorithm it is possible to perform 
the decryption in time 0(y/r). Finally if r is smooth we can use classical index- 
calculus techniques. More details about these optimization of decryption are 
discussed in the original paper [Ben94j . 

We remark that there is a balance to find between three parameters in this 
cryptosystem: 

— ease of decryption, which requires that r is a product of small prime powers, 

— a small expansion factor, defined as the ratio between the size of the cipher- 
texts and the size of the cleartexts. Because p and q have the same size and 
r | p — 1, this expansion factor is at least 2, 

— robustness of the private key, meaning that n should be hard to factor. In 
the context of the P-l factorization method |Pol74| . a big smooth factor of 
p — 1 is a definite weakness. 

We notice that the cryptosystem of Naccache- Stern [NS98] . similar to Benaloh's 
scheme, addresses this issue and by consequence do not produce ambiguous 
encryption. 

3 A Small Counter-Example 

We start by picking a secret key n = pq — 241 x 179 = 43139, for which we can 
pick r = 15. Algorithm [T] may be used to compute the maximal suitable value 
of the r parameter if you start by picking p and q at random, but a smaller and 
smoother value may be used instead for an easier decryption. 



Algorithm 1 Compute r from p and q. 
r p — 1 

while gcd(g — 1, r) ^ 1 do 

r <s— r I gcd(r, q — 1) 
end while 



We verify that r — 15 divides p — 1 = 240 = 16 x 15, r and (p— l)/r = 16 are 
relatively prime, r — 15 = 3 x 5 and q — 1 = 178 = 2 x 89 are coprime. Assume 
we pick y = 27, then gcd(y,n) = 1 and y(P~ 1 )( ( i- 1 )/ r = 40097 ^ 1 mod n so 
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according to Bcnaloh's key generation procedure all the original conditions are 
satisfied. 

By definition, z\ — y 1 f2 r = 24f87 is a valid encryption of mi = f, while 
z 2 — 2/ 6 4 r = 24f87 = z\ is also a valid encryption of mi = 6. In fact we can 
verify that with this choice of y, the true cleartext space is now Z5 instead of 
Zi 5 (hence the ambiguity in decryption): first notice that in Z p , y 5 = 8 = 4I 15 . 
This means that a valid encryption of 5 is also a valid encryption of 0. For any 
message m, the set of encryptions of m is the same as the set of encryptions of 
m + 5, hence the collapse in message space size. The fact that the message space 
size does not collapse further can be checked by brute force with this small set 
of parameters. 

For this specific choice of p and q, there are — -<p(ri) = 39872 possible values 
of y according to the original paper, but 17088 of them would lead to an am- 
biguity in decryption (that's a ratio of 3/7), sometimes decreasing the cleartext 
space to Z3 or Z5 . Details are provided in Section [5] 

4 Corrected Version of Benaloh's Scheme 

Let j be a generator of the group Z*, and since y is coprime with n, write 
y = g a mod p. We will now state in Theorem Q] our main contribution: 

Theorem 1 The following properties are equivalent: 

a) a and r are coprime; 

b) decryption works unambiguously; 

c) For all prime factors s of r, we have y( v ' s > =^ 1 mod n. 

Of course property (jb| is what we expect of the scheme, while (jaj) is useful 
to analyze the proportion of invalid y's and (jsj) is more efficient to verify in 
practice than (fa}, especially considering that in order to decrypt efficiently the 
factorization of r is assumed to be known. 

Proof. We start by showing (jaj) => jb|. Assume two messages mi and m.2 are 
encrypted to the same element using nonce U\ and U2- 

y mi u\ = y m2 u r 2 mod n. 

Reducing mod p we get: 

g a( mi -m 2 ) = (u 2 / Ux y mo d p 

and using the fact that g is a generator of (Z/pZ)*, there exists some (3 such 
that 

g a( mi - m2 ) =g flr modp 

which in turns implies 

a{m\ — m-i) = (3r mod p — 1. 
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By construction of r, we can further reduce mod r and get 

a(mi — m^) = mod r 

and since r and a are coprime, we can deduce mi = 7712 mod r, which means 
that decryption works unambiguously since the cleartexts are defined mod r. 

We now prove that (jg) =>■ (jg). Assume that there exists some prime factor s 
of r such that 

yte/') = 1 moc j n . 

As above, by reducing mod p and using the generator g of (Z/pZ)* we get 

a-=0modp-l. (2) 

s 

Let k — v s (r) the s-valuation of p— 1 and write a = us+fj, the Euclidean division 
of a by s. By construction we have v s ((p) = k. When reducing @ mod s k we 
can remove all factors of tp that are coprime with s, so we get 

as' -1 = mod s h 
ixs k ~ l = mod s fc 

/i = mod s 

/i = 

and a and r are not coprime. 

We now prove (jcj) => (ja}. Assume a and r are not coprime and denote by s 
some common prime factor. Then 

yifP/') =g °"P/s mo dp 

— g( a / s *>v mod p = 1 mod p. 

And by construction of r, s { 5 — 1 so y^' s > = 1 mod 

We now prove Jb| =>■ (jaj). Assume two different cleartexts mi 7^ r»2 mod r 
are encrypted to the same ciphertext using nonces u\ and U2- 

y m ^ul = y m2 u r 2 mod n. 
As before, we focus on operations mod p and we get 

a(mi — 7712) = mod r. 
If a were invertible mod r, we would get an absurdity. 

Notice than in the example of Section[3]we have y(p _1 )(9~ 1 )/ 3 = 1 mod n so 
condition (jcj) is not satisfied. We claimed that the real ciphertext space is now 
Z5 , and we give a precise analysis of the cleartext space reduction at the end of 
Section [5] 
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5 Probability of Failure of Benaloh's Scheme 



We now estimate the probability of failure in the scheme as originally described. 
For this we need to count the numbers y that satisfy condition ([1} and not 
property (jg) of Theorem [TJ We call these values of y "faulty" . 

Lemma 1 Condition {Ip is equivalent to the statement: r j a. 

Proof. Assume that r divides a: a = rot 1 . So 

yV /r = gav /r mod n 

= [g a 'y modn 
= 1 mod n. 

Conversely, if y^l r = 1 mod n, then 

g aip/r = 1 mod n 
= 1 mod p 

ip 

a— — mod p — 1. 

r 

Since r divides p — 1 and is coprime with ^ (by definition), we have r \ a. 

Since picking y € (Z p )* at random is the same when seen mod p as picking 
a G {0, . . . ,p — 2} at random, we can therefore conclude that the proportion p 
of faulty y's is exactly the proportion of non-invertible numbers mod r among 
the non-zero mod r. So p = 1 — £^1. We notice that this proportion depends on 
r only, and it is non-zero when r is not a prime. Since decryption in Benaloh's 
scheme is essentially solving a discrete logarithm in a subgroup of Z p of order r, 
the original schemes recommends to use r as a product of small primes' powers, 
which tends to increase p. In fact, denoting by (pi) the prime divisors of r we 
have: 

T 1 . Pi ±L Pi 

which shows that the situation where decryption is easy also increases the pro- 
portion of invalid y when using the initial description of the encryption scheme. 
As a practical example, assume we pick two 512 bits primes p and q as 

p = 2 x (3 x 5 x 7 x 11 x 13) x p + 1 

p> = 4464804505475390309548459872862419622870251688508955\ 
5037374496982090456310601222033972275385171173585381\ 
3914691524677018107022404660225439441679953592 
q = 1005585594745694782468051874865438459560952436544429\ 
5033292671082791323022555160232601405723625177570767\ 
523893639864538140315412108959927459825236754568279. 



7 



Then 



gcd(<j-l,p-l)=2 

r = (3 x 5 x 7 x 11 x 13) x p' 

r 2 4 6 10 12 p' 

p = 1 X-X-X-X — X — X 



r - 1 3 5 7 11 13 p> - 1 
p > 61%. 

This example was constructed quite easily: first we take p' of suitable size, and 
increase its value until p is prime. Then we generate random primes q of suitable 
size until the condition gcd(p — 1, q — 1) = 2 is verified; it took less than a second 
on a current laptop using Sage [S + 10 . 



Putting it all together, we can also characterize the faulty values of y, together 
with the actual value r' of the cleartext space size (compared to the expected 
value r): 

Lemma 2 Let u = gcd(a, r). Then r' = ^. Moreover if r' ^ r, this faulty value 
of y goes undetected by the initial condition as long as u =/= r. 

The proof of the first implication in Theorem Q] is easily extended to a proof of 
the first point of this lemma, while the second point is a mere rephrasing of the 
previous lemma. 

This result can be used to craft counter-examples as we did in Section |3J 
for a valid value y of the parameter and u a proper divisor of r, the value 
y' = y u mod n is an undetected faulty value with actual cleartext space size 
r' = r/u. It can also be used to determine precisely, for every proper divisor 
r' of r the probability of picking an undetected faulty parameter y of actual 
cleartext space size r'. Such an extensive study was not deemed necessary in the 
examples to follow in Section [7] 



6 Related Schemes 

We briefly discuss in this section some schemes related to that of |Ben94| . 

In BT94 , the authors describe a cryptosystem which closely resembles that 
of |Ben94j . but the conditions given on r are less strict. Let us recall briefly the 
parameters of the cryptosystem as described in [BT94 : 

— r | p — 1 but r 2 \ p — 1. 

— r\q-l. 

— y is coprime with n and y(p~ 1 )( < ?-i)/»' ^ \ m od n. 

It is clear that r 2 \ p — 1 is weaker than gcd((p — 1) jr. r) = 1, and that r { q — 1 is 
weaker than gcd(g — 1, r) — 1. Therefore any set of parameters satisfying |Ben94] 
are also valid parameters as defined in [BT94 . 

Unfortunately the condition imposed on y is the same and still insufficient, 
and finding counter-examples is again a matter of picking a not coprime with 
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r. Our theorem still stands for this cryptosystem if you replace condition (jnj) by 
the following condition: 

For all prime factors s of r, we have yiP' 1 )/* 1 ^ 1 mod p. (3) 

Going back in time, the scheme of Goldwasser and Micali |GM82j can be 
seen as a precursor of JBT94] with a fixed choice of r = 2. The choice of y 
in |GM82j as a quadratic non- residue mod n is clearly an equivalent formulation 
of condition 

Before [Ben94j and [BT94] . the scheme was defined by Benaloh in |Ben87j . 
with the parameter r being a prime. In this case our condition (jgj) is the same 
as the one proposed by Benaloh, and the scheme in this thesis is indeed correct. 
The main difference between the different versions proposed afterwards and this 
one is that it is not required for r to be prime, which leads in some cases to 
ambiguous ciphers. This remark clearly shows that all details are important in 
cryptography and that the problem we discover is subtle because even Benaloh 
himself did not notice it. 

Finally the scheme proposed by Naccache and Stern [NS98] is quite close to 
the one proposed in [Bcn87 but with a parameterization of p and q. It makes de- 
cryption correct, efficient, and leaves the expansion factor as an explicit function 
of the desired security level with respect to the P — 1 method of factoring [Pol74 
(the expansion is essentially the added size of the big cof actors of p— 1 and q — 1). 
We note in passing that a modulus size of 768 bits was considered secure at the 
time, a fact disproved twelve years later [KAF + 10] only! 

7 Applications 

In this last section, we present some applications which explicitly use Benaloh's 
encryption scheme. We analyze in each situation what are the consequence on 
the application of using a bad parameter produced during the key generation. 

7.1 Receipt-free Elections 

In |BT94j the authors propose an application of homomorphic encryption for 
designing new receipt-free secret-ballot elections. They describe two protocols 
which use an homomorphic encryption verifying a list of properties. They also 
give in Appendix of the paper a precise description of a encryption scheme which 
satisfies their properties. Its relation with |Ben94j is given in section [SJ 

The new voting protocol uses the fact that the encryption is homomorphic 
and probabilistic. If we have two candidates Nicolas and Segolene then the system 
associates for instance the ballot for Nicolas and the ballot 1 for Segolene. The 
main idea is that the server collects the m authenticated encrypted ballots {v{\k 
corresponding to the choices Vi of the m voters. Hence the server performs the 
multiplication of all these votes and decrypts the product once to obtain the 
result. The number obtained corresponds to the number of votes for Segolene 
ns and the difference m — ng gives the number of votes for Nicolas. 
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We construct a basic application of the first protocol proposed in |BT94j and 
based on the example described in Section [3] In this example we consider only 
20 voters. If the encryption is correctly done then the final result is {14}fc. It 
means that after decryption Segolene has 14 votes and Nicolas has 6 votes. But 
if as we explain in Section [3] instead of computing the result 14 mod 15 we are 
taking the result modulo 5, then we obtain a result of 14 mod 5 = 4. This time 
Nicolas obtains 16 votes and Segolene only 4. This example clearly shows that 
this bug in the condition in the original paper can have important consequences. 

7.2 Private Multi-Party Trust Computation 

In |DGK10] the authors give a multiple private keys protocol for private multi- 
party computation of a trust value: an initiating user wants to know the (possibly 
weighted) average trust the network of nodes has in some user. In a first phase 
of the protocol, each of the n nodes splits its trust t in n — 1 shares (sj) such 
that 

t = Si + S2 + . . . + s„_i mod r. 

Here r is a common modulus chosen big enough with respect to the maximum 
possible global trust value, and in order to insure the privacy of its trust value the 
shares should be taken as random number mod r, except for the last one. The 
shares are then sent encrypted (using Benaloh's scheme) to each other user, to 
be later recombined. If we assume that one of the users has chosen a faulty value 
for his public parameter y, then his contribution to the recombined value will 
be computed mod r' instead of mod r for some divisor r' of r. As an extreme 
example, assume 

— that the queried user is a newcomer, untrusted by anyone (hence the private 
value of t for every node is 0), 

— that the true recombined value contributed by the faulty user should have 
been r — 1, 

— that r' = r/3. 

Due to his miscalculation, the faulty node will contribute the value r' — 1 instead 
of —1, causing the apparent calculated trust value to be quite high (about 1/3 of 
the maximum possible trust value, instead of 0). This can have dramatic conse- 
quences if the trust value is used later on to grant access to some resource. These 
assumptions are not entirely unlikely: remember that r — 3 fe is an explicitly sug- 
gested choice of parameter of the cryptosystem (chosen for instance in JKM05J) 
in which case p is close to 1/3 and faulty nodes occur with high probability even 
with moderate-sized networks. We note also that the description from |Ben94j is 
given in extenso, with its incorrect condition. One reason for choosing Benaloh's 
cryptosystem in this application is because the cleartext space can be common 
among several private keys, a feature unfortunately not achieved e.g. by Paillier's 
cryptosystem }Pai99j but also possible with Naccache-Stern's |NS98j . 
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7.3 Secure Cards Dealing 



Another application of this encryption scheme is given in GolQ5j : securely deal- 
ing cards in poker (or similar games). Here again the author gives the complete 
description of the original scheme, with a choice of parameter r — 53 (which 
is prime). Because r is prime, this application does not suffer from the flaw ex- 
plained here, but this choice of a prime number is done for reasons purely internal 
to the cards dealing protocol, namely testing the equality of dealt cards. 

Given two ciphertext E{m\) and E{m,2), the players need to test if m\ — m 2 
without revealing anything more about the cards mi and m-2.. The protocol is 
as follows: 

1. Let m = mi — rri2, each player can compute E(m) = E(m\) / E(rri2) because 
of the homomorphic property of the encryption. 

2. Each player Pj secretly picks a value < on < 53, computes E{m) ai and 
discloses it to everyone. 

3. Each player can compute \\ i E(m) ai — E(m) a with a = ^ a*. The players 
jointly decrypt E(m) a to get the value ma mod r. 

Now because for each player the value of a is unknown and random, if ma =/= 
mod r then the players learn nothing about m. Otherwise they conclude that 
the cards are equal. 

We claim that this protocol fails to account for two problems: 

— there is no guarantee that a / mod r. When this happens, two distinct 
cards will be incorrectly considered equal. 

— knowing the value of E(m) and E(m) ai , it is easy to recover ai because 
of the small search space for ai. This means the protocol leaks information 
when mi / m<x- The fix here is to multiply by some random encryption of 
0. 



8 Conclusion 

We have shown that the original definition of Benaloh's homomorphic encryp- 
tion does not give sufficient conditions in the choice of public key to get an 
unambiguous encryption scheme. We gave a necessary and sufficient condition 
which fixes the scheme. Our discussion on the probability of choosing an incor- 
rect public key shows that this probability is non negligible for parameters where 
decryption is efficient: for example using the suggested value of the form r — 3 fe , 
this probability is already close to 1/3. We also explain on some examples what 
can be the consequences of the use of the original Benaloh scheme. In fact, it 
is surprising this result was not found before, considering the number of appli- 
cations built on the homomorphic property of Benaloh's scheme. This strongly 
suggests this scheme was rarely implemented. 
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